Cloud services, old wine in new bags?!

Is the cloud radically new?

No…. it is old wine in new bags with a twist. Already at the turn of the last millennium, I was developing, selling and implementing Cloud services for Multrix, a small Dutch independent Cloud services provider “avant la lettre”. Later on, when I was working for Shell Global Functions as Transition lead, I was a Cloud Services focal point and people often came to me with for advice on how to manage Cloud Services.

Managing cloud services doesn’t need a whole new set of skills, it is an evolution of the managed services concept. When you have been responsible for Managed Services, then you probably already possess the skills and experience to successfully manage cloud services.

Still Cloud services do bring an additional challenges, we have no control over the quality of the service. It is a black box for the customer. At best, we can contractually agree differentiated service levels to cater our needs, but in most cases, we just have to take what is being offered.

The service provider owns the assets and operates them according to their own standards

When selecting a service partner, it is key to understand the impact on the businessof possible security or reliability issues. Once we have a risk profile, we can then decide on the appropriate amount of mitigation needed to manage the risks. Be willing change plans and be prepared to stop in your tracks if the desired level of control cannot be achieved with your (prospected) service partner.

The risk of using a particular cloud service provider could outweigh the gains, it is your business that is at stake

Thus, the focus shifts to how we can achieve our goals and how we can monitor the quality of our service partners’ operations. We put more emphasis on governance and control.

DO YOU WANT TO DRIVE WITHOUT A DASHBOARD?

At present day, almost all corporates have to utilize cloud services, either full or in a hybrid form. Newly formed businesses mostly don’t even consider investing in building-up their own infrastructure.

There is RISK: Without the right governance, Cloud services could endanger your business.

EXAMPLE – BP was heavily damaged due to the Deep Horizon Accident, BP had contracted a service partner operating wells for them. There where clear established security protocols but they were ignored and the damages to the BP business was enormous

EXAMPLE – GDPR – the responsibility remains with you. When your service provider has an incident and your customer’s private data is compromised and you have not done you done due diligence, you could be heavily penalized!

Go beyond the TELL ME –-> to SHOW ME! Contractually agreed assurances are not enough. It is your business that is at risk!

The Cause: With Cloud based services we do not own the assets and we cannot influence how the services are being operated. From the customer perspective, the service is a black box. The cloud service provider could be ignoring all IT safety protocols and your organisation will not be aware of anything until a disaster happens.

THE ADVICE

Consider: Would you Buy a car without an oil gauge or a speedometer?

Understand the IT safety & reliability risks for your situation. Have a Business Impact Assessment and have a conversation with your prospective service partner on how you can get visibility on the ongoing quality of their operations. Maybe they are already doing regular an assessment like theISAE 3402 ,maybe you can contractually agree your right to audit. Also, be willing to step out of the deal if you are not able to work out these arrangements. The Opsasto article about “sourcing for operational readiness” provides some useful pointers

Improve your cost performance by early engagement of IT when sourcing for an application service. Early engagement of the IT function is key for success. Include Operational Readiness as one of your main criteria in the selection and vendor evaluation process. 90% of the service’s lifecycle costs are incurred during the operational phase. The early engagement will help bend the curve, lower the TCO and improve the cost performance.

Cloud ONBOARDING POINTERS

Process & Interfaces: Although the service provider owns the processes and tools, that doesn’t mean the customer is not involved in the operation of them. Clearly define the touch points between your organisation in the service provider processes. Establish where the service provider needs to engage you for consultation and/or approval

Risk & Controls: Understanding Risk is key for deciding on the appropriate amount of prudency. Conducting a Business Impact Assessment, will help us understand what the impact to our business will be if a security or reliability risk materializes. Be aware that this impact does not change when delivery is done through cloud providers.

EXAMPLE: You need power to run your electrical appliance. It makes no difference whether your power is delivered through the grid from the energy cloud or through the use of an in-house generator. When the power is gone, the appliance will not run.

Operational Compliance assurance: With compliance checks we can provide assurance that well-designed risk controls are in place. The standard industry approach is to provide compliance assurance through regular external audits.

However, there are situations that this would leave our organization too much exposed and we want more control then the audit report can provide. In this case we can agree operational compliance assurance through extra reporting that extends to the actual execution of the control.

EXAMPLE: we would not only look if there are well designed drilling well safety controls in place, but also if there actually being followed correctly by asking for a monthly report on the drilling sessions and the result of the safety checks.

Conclusion

The risks of cloud. Assuring secure and reliable operations entails more than signing a contract – The control and operate requirements are not always understood and this exposes your organization to undesired security and reliability risks.

Your organisation remains accountable. Even if you have contractually agreed certain activities to be carried out by a partner/vendor, it is our duty, responsibility and interest to ensure the contracted partner delivers on these commitments. It is possibly the livelihood of your business that is at stake.

Can the IT function still have a role in a cloud services delivery model.Yes, they generally have a lot of experience with IT Operations, a business can leverage that knowledge to quickly scale successful experiments to secure and reliable operation. The IT function can unburden the business of the operational governance needed to ensure secure and reliable operations. When the IT Service will be fully business operated, the IT function can provide assistance with the set-up of the operate governance within the business. Often this is also a good workable approach for BiModalIT set-ups.

Do Cloud services fit in existing organisations? In essence, it is not different than managing the contract performance of a managed service provider. However organisations that do not have strong governance in place will need to put extra efforts in that area